Abstract

This paper presents a new efficient protocol for k-out-of-n oblivious transfer, which is a generalization of Parakh's 1-out-of-2 oblivious transfer protocol based on Diffie-Hellman key exchange. In the proposed protocol, the parties involved generate Diffie-Hellman keys obliviously and then use them for the oblivious transfer of secrets.

1 Introduction 

Oblivious Transfer [13, 12, 11] of secrets between two parties is a very useful primitive for the construction of larger cryptographic schemes. It is a method by which a commodity from a set is transferred from a sender to a receiver based on the receiver's choice. However, the sender should be oblivious to the choice that the receiver made, i.e. he should be unaware of which commodity the receiver is in possession of at the end of the transaction. Oblivious Transfer has applications in the areas of secure multiparty computation, private information retrieval (PIR), fair electronic contract signing, oblivious secure computation, etc. [8, 1, 2, 7].

In this paper, we present a k-out-of-n generalization of the 1-out-of-2 oblivious transfer protocol proposed by Parakh [12]. He presented a protocol that established an oblivious key exchange between two parties using the Diffie-Hellman protocol at its core. Once the keys were exchanged, the parties would use a symmetric key cryptosystem for the transfer of secret messages, thus making the transfer more efficient compared to using a public key cryptosystem. The scheme may further be used to establish an oblivious transfer channel for the transfer of large secrets.

A k-out-of-n Oblivious Transfer is when the receiver can choose to receive k secrets from a set of n secrets that the sender is in possession of. For example, Bob may have a set of n files protected by individual passwords that are immune to trial-and-error (due to their length or complexity or both). Alice is in possession of the passwords for these files. Now, Bob wants to open k of these files, for which he would need their respective passwords from Alice. Also, he doesn't want Alice to know which of the n files he wishes to read. Oblivious Transfer can come to the rescue in such a situation. It will enable Bob to learn the passwords of the k files that he wants to read and at the same time prevent Alice from knowing which passwords Bob has actually acquired. One must also bear in mind that, given the k passwords, it should not be possible for Bob to compute any of the remaining (n − k) passwords.

Thus, the goals of Oblivious Transfer can be summarized as follows:

• Receiver's Privacy: Alice should not be able to determine which k secrets Bob has acquired.

• Sender's Privacy: Bob should not be able to learn any of the remaining (n − k) secrets using the k secrets that he has received.

2 Previous Work 

Rabin's Oblivious Transfer protocol allowed the receiver to receive a bit with probability 1/2. The sender, on the other hand, could not determine whether the receiver has received the bit or not. This idea was later used to establish 1-out-of-2 OT protocols that can be extended easily to 1-out-of-n protocols [3], and these in turn can be converted into k-out-of-n protocols by merely running the protocol k times [16]. However, as expected, the computational cost of these extended protocols would be high. It is possible to reduce the complexity by developing 1-out-of-n and k-out-of-n protocols directly from primitives (without the successive runs of lower order protocols) [3, 14, 15]. Both the possibilities of successive protocol runs and direct implementation have been explored in Oblivious Transfer protocols [1].

In [5], Chu and Tzeng devised a scheme for the implementation of 1-out-of-n and k-out-of-n protocols based on the Discrete Log problem. They compared the cost of their protocol to that of Mu, Zhang, and Varadharajan [9] and Naor and Pinkas [10]. Although their 1-out-of-n protocol was of O(n), their k-out-of-n protocol used k successive runs of their 1-out-of-n protocol. This increases the cost of their k-out-of-n scheme to O(kn). Wu, Zhang, and Wang [17] improved this efficiency in their paper and developed a protocol that was of O(k + t) using a two-lock cryptosystem. This protocol does not involve the use of Diffie-Hellman based keys. An efficient oblivious transfer protocol using Elliptic Curve Cryptography was presented in [11].

3 Parakh's Oblivious Transfer Protocol 

Oblivious transfer using Diffie-Hellman keys was presented in [12]. Here, Alice encrypts the two secrets she is willing to disclose under two different encryption keys and associates these keys with two distinct choices. She then establishes a 1-out-of-2 oblivious key exchange such that Bob is able to compute only one of the keys, based on his choice. Consequently, upon receiving the encrypted secrets, Bob is only able to decrypt one of them.

We provide a brief description of the protocol here in order to make the idea of oblivious key exchange clear. However, our description differs slightly from that presented in [12], because we note that the pre-requisite of choosing two numbers $x_1$ and $x_2$ such that $c = x_1^2 = x_2^2 \pmod p$ is not necessary for successful execution of the protocol.

Assume a safe prime $p$, a generator $g$, and let $x_1$ and $x_2$ be two randomly and uniformly chosen numbers from the field $\mathbb{Z}_p$; denote the two secrets that Alice possesses by $S_1$ and $S_2$. She then associates $x_1$ with $S_1$ and $x_2$ with $S_2$ (without disclosing the secrets). She announces these associations to Bob; denote Bob's choice by $x_B$. Bob's task is to establish either key $K_1$ or $K_2$ with Alice, according to which secret he is interested in obtaining.

The protocol proceeds as follows:

1. Alice secretly chooses $N_{A_1}$ and sends to Bob: $g^{x_1 + N_{A_1}} \pmod p$;

2. Bob chooses $x_B = x_1$ (if he wants secret $S_1$) or $x_B = x_2$ (if he wants secret $S_2$) and secret numbers $N_{B_1}$ and $N_{B_2}$, with $N_B = N_{B_1} N_{B_2}$;

3. Bob sends to Alice: $\left(\dfrac{g^{x_1 + N_{A_1}}}{g^{x_B}}\right)^{N_{B_1}} \pmod p$ and $g^{N_B} \pmod p$;

4. Alice chooses a number $N_{A_2}$ and sends to Bob: $\left[\left(\dfrac{g^{x_1 + N_{A_1}}}{g^{x_B}}\right)^{N_{B_1}}\right]^{N_{A_2}} \pmod p$;

5. Bob computes: $K_B = \left[\left(\dfrac{g^{x_1 + N_{A_1}}}{g^{x_B}}\right)^{N_{B_1} N_{A_2}}\right]^{N_{B_2}} \pmod p = g^{(x_1 - x_B + N_{A_1}) N_B N_{A_2}} \pmod p$;

6. Alice computes: $K_1 = g^{N_B N_{A_1} N_{A_2}} \pmod p$ and $K_2 = \left(g^{N_B (x_1 - x_2 + N_{A_1})}\right)^{N_{A_2}} \pmod p$; and

7. Alice encrypts secret $S_1$ using $K_1$ and secret $S_2$ using $K_2$ and sends them to Bob.

From the above sequence we see that if Bob chooses $x_B = x_1$, then $K_B = K_1$, and if Bob chooses $x_B = x_2$, then $K_B = K_2$. Hence, Bob will only be able to retrieve one of the two secrets depending upon his choice, while Alice will not be able to determine which secret Bob has retrieved. Hence, Bob has obliviously established a secret key of his choice with Alice.
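The oblivious key exchange described above, as an added Python example (it is not code from the paper or from Parakh's work): Alice publishes $g^{x_1 + N_{A_1}}$, Bob blinds it by his choice $x_B$ and his nonce $N_{B_1}$, and after Alice's reply both sides hold the same key exactly when Bob's choice matches. The parameters $p = 23$, $g = 5$, $x_1 = 3$, $x_2 = 5$ and all nonce values are constructed here, and $N_B = N_{B_1} N_{B_2}$ is assumed, since that is what makes step 5 agree with step 6.

```python
# Public parameters, constructed for this example (not the paper's values).
P, G = 23, 5
X1, X2 = 3, 5          # public labels associated with S_1 and S_2


def alice_step1(n_a1, p=P, g=G, x1=X1):
    """Step 1: g^(x_1 + N_A1) mod p."""
    return pow(g, x1 + n_a1, p)


def bob_step3(msg, x_b, n_b1, n_b2, p=P, g=G):
    """Step 3: (g^(x_1+N_A1) / g^x_B)^N_B1 and g^N_B, with N_B = N_B1 * N_B2
    (assumption: this relation is what makes step 5 equal K_1 or K_2)."""
    blinded = pow(msg * pow(pow(g, x_b, p), -1, p) % p, n_b1, p)
    return blinded, pow(g, n_b1 * n_b2, p)


def alice_step4_and_6(blinded, g_nb, n_a1, n_a2, p=P, x1=X1, x2=X2):
    """Step 4: raise Bob's blinded value to N_A2.
    Step 6: K_1 = g^(N_B N_A1 N_A2) and K_2 = (g^(N_B (x_1 - x_2 + N_A1)))^N_A2,
    computed from g^N_B; the K_2 exponent is reduced mod p-1 in case it is negative."""
    reply = pow(blinded, n_a2, p)
    k1 = pow(g_nb, n_a1 * n_a2, p)
    k2 = pow(g_nb, ((x1 - x2 + n_a1) * n_a2) % (p - 1), p)
    return reply, k1, k2


def bob_step5(reply, n_b2, p=P):
    """Step 5: K_B = reply^N_B2 mod p."""
    return pow(reply, n_b2, p)


def run(x_b, n_a1=4, n_a2=8, n_b1=5, n_b2=2):
    """One full run for Bob's choice x_b; returns (K_B, K_1, K_2).
    The default nonce values are constructed for the example."""
    msg = alice_step1(n_a1)
    blinded, g_nb = bob_step3(msg, x_b, n_b1, n_b2)
    reply, k1, k2 = alice_step4_and_6(blinded, g_nb, n_a1, n_a2)
    return bob_step5(reply, n_b2), k1, k2


if __name__ == "__main__":
    for choice in (X1, X2):
        k_b, k1, k2 = run(choice)
        print(f"x_B={choice}: K_B={k_b}, K_1={k1}, K_2={k2}")
```

Running it with $x_B = x_1$ gives $K_B = K_1$ and with $x_B = x_2$ gives $K_B = K_2$; Alice computes both $K_1$ and $K_2$ from $g^{N_B}$ alone and never learns which one Bob can reproduce.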



4 Assumptions in this Paper 

Throughout the paper we assume that Alice is the party having possession of n secrets or, in other words, is the sender. Bob is the party that wants to learn one or more secrets obliviously. Alice and Bob are both assumed to be honest but curious parties, i.e. in spite of their honesty, they will try to obtain more information than they are entitled to.

The protocol has no way of assuring the legitimacy of the secrets handed over by Alice to Bob during the transaction. However, for the purpose of this protocol we do assume that any message exchanged between the two parties over a channel is duly signed by the sender. In case of a fraud (in the contents of the messages) the victim can later use these digital signatures as evidence against the adversary during adjudication.

5 1-out-of-n Oblivious Transfer 

For the security of the protocol, we have exploited the fact that finding the exponent $e$ in the equation $x^e \pmod p = y$ (where $x$ and $y$ are given) is equivalent to solving a discrete log problem (DLP). Let $g \in \mathbb{Z}_p$ be the generator of the Diffie-Hellman group $\mathbb{Z}_p$, where $p$ is considered to be a safe prime.

Let there be a set of numbers $x_1, x_2, \ldots, x_n$ known both to Alice and Bob. Say Alice has n secrets $S_1, S_2, \ldots, S_n$ and Bob wants to acquire the $i$-th secret $S_i$; then Bob will choose $x_i$ for the generation of the key as per the protocol.

Let $K_{A_i}$ be the key used by Alice to encrypt the secret $S_i$ for all $i$, and $K_B$ be the key generated by Bob for decryption of the secret. $N_{A_1}$ and $N_{A_2}$ are ephemeral nonces generated by Alice, and $N_{B_1}$, $N_{B_2}$ and $N_{B_3}$ are the ephemeral nonces generated by Bob in the protocol run.



5.1 Mutual Agreement 

Alice and Bob both agree upon a safe prime $p$, a generator element $g$ of the group $\mathbb{Z}_p$ and the set $\{x_1, x_2, \ldots, x_{n-1}, x_n\}$. Each member $x_i$ of the set corresponds to the $i$-th secret. All the nonces generated by the parties are ephemeral.

5.2 The Protocol 

1. Alice generates random nonce $N_{A_1}$ and sends the message $M_A = g^{N_{A_1} + \sum_{i=1}^{n} x_i} \pmod p$ to Bob.

2. Bob selects $x_j$ as per the secret he wants to acquire, and generates three nonces $N_{B_1}$, $N_{B_2}$ and $N_{B_3}$ such that $N_{B_3} = k \times N_{B_2}$, where $k$ is a factor of $N_{B_1}$.

3. Bob sends the message $M_j = \left(\dfrac{M_A}{g^{x_j}} \pmod p\right)^{N_{B_3}} \pmod p$ to Alice.

4. Bob also sends $M_B = g^{N_{B_1}} \pmod p$.

5. Alice generates nonce $N_{A_2}$ and the set of keys $\{K_{A_1}, K_{A_2}, \ldots, K_{A_{n-1}}, K_{A_n}\}$ as

$K_{A_i} = \left((M_B)^{N_{A_1} + \sum_{l=1}^{n} x_l - x_i}\right)^{N_{A_2}} \pmod p \quad \forall i \in [1, n].$

6. Alice sends the message $[M_j]^{N_{A_2}} \pmod p$ to Bob.

7. Bob calculates $K_B$ as $\left[[M_j]^{N_{A_2}}\right]^{N_{B_2}} \pmod p$.

8. Alice sends all the secrets encrypted under the respective keys ($S_i$ is encrypted under the key $K_{A_i}$), i.e. $\{S_1\}_{K_{A_1}}, \{S_2\}_{K_{A_2}}, \{S_3\}_{K_{A_3}}, \ldots, \{S_n\}_{K_{A_n}}$.

9. Bob can then decrypt the locked secret that he wished to learn using the key $K_B$ he has generated.



Figure 1: 1-out-of-n Oblivious Transfer Protocol Run. [Figure: the messages exchanged between Alice and Bob in the order of Section 5.2, ending with Alice's hashes $Hash(S_1), \ldots, Hash(S_n)$ and Bob's check $Hash(decrypt(\{S_j\}_{K_{A_j}}, K_B)) == ReceivedHash(S_j)$.]
5.3 Security Proof and Cost Analysis 

It is easy to see that if Alice wishes to know Bob's choice she would have to know $x_i$, which is conveyed in the form $g^{x_i} \pmod p$. In order to do this, she would have to solve the Discrete Log Problem. However, solving the Discrete Log Problem is considered computationally intractable. Thus, receiver's privacy is assured.

If Bob wishes to acquire more than the k secrets he is entitled to, he will have to obtain the nonce, which is again equivalent to solving the Discrete Log Problem, thus ascertaining sender's privacy.

The computational costs due to exponentiation at Alice's and Bob's ends are $n + 1$ and $2$, i.e. $O(n)$ and $O(1)$ respectively. The transfer cost is quite plainly $n + 4$, i.e. $O(n)$. This is equal in order to the protocol proposed in [5], which is also based directly on cryptographic primitives.

5.4 Same Message Attack 

However, the protocol is vulnerable to the same message attack, i.e. if all the secrets that Alice sends are the same, then (trivially) no matter which secret Bob chooses, Alice will always know the secret he has chosen. This attack can be avoided with a simple addition of the following steps to the protocol.

1. Alice also sends the hash value of each secret to Bob, that is $Hash(S_1), Hash(S_2), \ldots, Hash(S_n)$.

2. Bob verifies that all the hash values received are distinct. If Alice has sent distinct secrets and hashed them honestly, then the hashes will prove to be different.

3. Bob then decrypts $\{S_j\}_{K_{A_j}}$ using the $K_B$ calculated by him.

4. Check if $Hash(decrypt(\{S_j\}_{K_{A_j}}, K_B)) == ReceivedHash(S_j)$. In case the match fails, it means that Alice has either sent him fake hashes in order to make them different, or she has hashed them dishonestly.

Alice will have an extremely low probability of getting away with a Same Message Attack. It will happen only in the case that Alice hashes only one secret honestly, fakes the other hashes, and Bob picks the secret that is hashed correctly. We assume that the probability of this happening will be very low.

6 k-out-of-n Oblivious Transfer 

A k-out-of-n Oblivious Transfer scheme is one where Alice is in possession of n secrets and Bob wishes to learn k of them. This can, of course, be achieved by running our 1-out-of-n protocol k times, once for each secret. But it would save computation and transfer cost if we establish a different protocol for the same purpose that is inspired by our 1-out-of-n protocol. The proposed k-out-of-n protocol is again reliant on the Discrete Log Problem for its security and uses Diffie-Hellman [6] based keys for locking and unlocking secrets.

6.1 Mutual Agreement 

Alice and Bob both agree upon a safe prime $p$, a generator element $g$ of the group $\mathbb{Z}_p$ and the set $\{x_1, x_2, \ldots, x_n\}$. Each member $x_i$ of the set corresponds to the $i$-th secret. They also agree upon the number of secrets to be transferred, $k$.

6.2 The Protocol 

1. Alice generates random nonce $N_{A_1}$ and sends the message $M_A = g^{N_{A_1} + \sum_{i=1}^{n} x_i} \pmod p$ to Bob.

2. Bob selects $\{x_1, x_2, \ldots, x_k\}$ as per the secrets he wants to acquire, and generates three nonces $N_{B_1}$, $N_{B_2}$ and $N_{B_3}$ such that $N_{B_3} = k \times N_{B_2}$, where $k$ is a factor of $N_{B_1}$.

3. Bob sends the messages

$M_j = \left(\dfrac{M_A}{g^{x_j}} \pmod p\right)^{N_{B_3}} \pmod p \quad \forall j \in [1, k]$ to Alice.

4. Bob also sends $M_B = g^{N_{B_1}} \pmod p$.

5. Alice generates nonce $N_{A_2}$ and the set of keys $\{K_{A_1}, K_{A_2}, \ldots, K_{A_{n-1}}, K_{A_n}\}$ as

$K_{A_j} = \left((M_B)^{N_{A_1} + \sum_{i=1}^{n} x_i - x_j}\right)^{N_{A_2}} \pmod p \quad \forall j \in [1, n].$

6. Alice sends the messages $[M_j]^{N_{A_2}} \pmod p \quad \forall j \in [1, k]$ to Bob.

7. Bob calculates $K_{B_j}$ as $\left[[M_j]^{N_{A_2}}\right]^{N_{B_2}} \pmod p \quad \forall j \in [1, k]$.

8. Alice sends all the secrets encrypted under the respective keys ($S_i$ is encrypted under the key $K_{A_i}$), i.e. $\{S_1\}_{K_{A_1}}, \{S_2\}_{K_{A_2}}, \{S_3\}_{K_{A_3}}, \ldots, \{S_n\}_{K_{A_n}}$.

9. Bob can then decrypt the locked secrets that he wished to learn using the keys $K_{B_j}, \forall j \in [1, k]$, he has generated.

Let us understand the working of the above protocol with an example.

Example: Alice is in possession of, say, 5 secrets $S_1, S_2, S_3, S_4, S_5$ (i.e. $n = 5$). They agree upon the safe prime $p = 23$, the generator $g = 5$ of the group $\mathbb{Z}_{23}$ and the set $\{1, 2, 3, 4, 5\}$ such that 1 corresponds to $S_1$, 2 corresponds to $S_2$ and so on. They also decide the number of secrets to be transferred, $k = 2$.

1. Alice generates nonce $N_{A_1} = 4$ and sends

$M_A = 5^{4 + (1+2+3+4+5)} \pmod{23} = 5^{19} \pmod{23} = 7.$

2. Suppose Bob wants secrets $S_3$ and $S_5$. He therefore chooses $x_1 = 3$ and $x_2 = 5$. He generates the nonces $N_{B_1} = 10$, $N_{B_2} = 6$ and $N_{B_3} = 12$. [Here, $N_{B_3} = k \times N_{B_2}$, where $k = 2$, which is a factor of $N_{B_1}$.]

3. Bob calculates and sends the messages

$M_1 = \left(\dfrac{M_A}{5^{3}}\right)^{5} \pmod{23} = (7 \times 10^{-1})^{5} \pmod{23} = 3^5 \pmod{23} = 13$

$M_2 = \left(\dfrac{M_A}{5^{5}}\right)^{5} \pmod{23} = (7 \times 20^{-1})^{5} \pmod{23} = 13^5 \pmod{23} = 4$

4. Bob also sends $M_B = 5^{10} \pmod{23} = 9$.

5. Alice generates nonce $N_{A_2} = 8$ and calculates the following keys:

$K_{A_1} = (9^{19-1})^{8} \pmod{23} = 9$

$K_{A_2} = (9^{19-2})^{8} \pmod{23} = 6$

$K_{A_3} = (9^{19-3})^{8} \pmod{23} = 4$

$K_{A_4} = (9^{19-4})^{8} \pmod{23} = 18$

$K_{A_5} = (9^{19-5})^{8} \pmod{23} = 12$

Alice encrypts $S_1$ with the key $K_{A_1}$, $S_2$ with the key $K_{A_2}$ and so on.

6. Alice calculates and sends $M_1^{N_{A_2}} \pmod p = 13^{8} \pmod{23} = 2$ and $M_2^{N_{A_2}} \pmod p = 4^{8} \pmod{23} = 9$ to Bob.

7. Bob calculates $K_{B_1} = 2^{2} \pmod{23} = 4$, and $K_{B_2} = 9^{2} \pmod{23} = 12$.

8. Alice sends all the encrypted secrets to Bob, i.e. $\{S_1\}_{K_{A_1}}, \{S_2\}_{K_{A_2}}, \ldots, \{S_5\}_{K_{A_5}}$.

9. We can see that the keys generated for $S_3$ and $S_5$ by both Alice and Bob are 4 and 12 respectively.

Thus, the keys generated by Alice and Bob (i.e. $K_{A_j}$ and $K_{B_j}$) for all the chosen secrets ($j \in [1, k]$) are the same. The keys have thus been exchanged by the parties obliviously, and they can use a symmetric key cryptosystem for the transfer of secrets.
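The k-out-of-n run above, together with the hash check against the same message attack from Section 5.4, as an added Python example (not the paper's code). It reproduces every intermediate value of the worked example: $M_A = 7$, $M_1 = 13$, $M_2 = 4$, $M_B = 9$, Alice's keys 9, 6, 4, 18, 12, her replies 2 and 9, and Bob's keys 4 and 12. One reading is labelled as an assumption in the code: the example raises Bob's messages to the power 5 and unblinds Alice's replies with the power 2, whose product is $N_{B_1} = 10$, so Bob's two exponents are taken as a factorisation of $N_{B_1}$. The symmetric cipher (a SHA-256 keystream XORed over the secret) and the secret byte strings are constructed for this example; the paper leaves the cipher unspecified.

```python
import hashlib

# Public parameters of the worked example in Section 6.2 of the paper.
P, G = 23, 5
XS = [1, 2, 3, 4, 5]   # x_i; member x_i corresponds to secret S_i
K = 2                   # number of secrets Bob is entitled to


def alice_commit(n_a1, p=P, g=G, xs=XS):
    """Step 1: M_A = g^(N_A1 + sum of all x_i) mod p."""
    return pow(g, n_a1 + sum(xs), p)


def bob_blind(m_a, chosen, n_b1, blind_exp, p=P, g=G, k=K):
    """Steps 2-4. For every chosen x_j: M_j = (M_A / g^x_j)^blind_exp mod p,
    plus M_B = g^N_B1. Assumption (my reading of the example, where 5 * 2 = N_B1):
    blind_exp divides N_B1 and the cofactor N_B1 // blind_exp unblinds later."""
    if len(chosen) != k:
        raise ValueError("Bob must choose exactly k secrets")
    if n_b1 % blind_exp:
        raise ValueError("blinding exponent must divide N_B1")
    msgs = [pow(m_a * pow(pow(g, x, p), -1, p) % p, blind_exp, p) for x in chosen]
    return msgs, pow(g, n_b1, p)


def alice_keys_and_replies(m_b, msgs, n_a1, n_a2, p=P, xs=XS):
    """Steps 5-6: K_Aj = (M_B^(N_A1 + sum x_i - x_j))^N_A2 for every j in [1, n],
    and the blinded replies M_j^N_A2 for the k messages Bob sent."""
    total = n_a1 + sum(xs)
    keys = [pow(m_b, (total - x) * n_a2, p) for x in xs]
    return keys, [pow(m, n_a2, p) for m in msgs]


def bob_unblind(replies, cofactor, p=P):
    """Step 7: K_Bj = (M_j^N_A2)^cofactor mod p."""
    return [pow(r, cofactor, p) for r in replies]


def xor_crypt(key, data):
    """Toy symmetric cipher (constructed; the paper leaves the cipher unspecified):
    XOR the secret with a SHA-256 keystream derived from the DH key."""
    ks = hashlib.sha256(str(key).encode()).digest()
    return bytes(b ^ ks[i] for i, b in enumerate(data))


def sha(data):
    return hashlib.sha256(data).hexdigest()


def hashes_distinct(hashes):
    """Bob's first check from Section 5.4: identical secrets give identical hashes."""
    return len(set(hashes)) == len(hashes)


def run_example():
    secrets = [b"S1", b"S2", b"S3", b"S4", b"S5"]   # constructed sample secrets
    chosen_x = [3, 5]                               # Bob wants S_3 and S_5
    n_a1, n_a2, n_b1 = 4, 8, 10                     # nonce values from the paper's example
    blind_exp, cofactor = 5, 2                      # 5 * 2 = N_B1, as the example's arithmetic uses

    m_a = alice_commit(n_a1)
    msgs, m_b = bob_blind(m_a, chosen_x, n_b1, blind_exp)
    a_keys, replies = alice_keys_and_replies(m_b, msgs, n_a1, n_a2)
    b_keys = bob_unblind(replies, cofactor)

    # Step 8 plus the countermeasure of Section 5.4: Alice also sends Hash(S_i).
    boxes = [xor_crypt(key, s) for key, s in zip(a_keys, secrets)]
    hashes = [sha(s) for s in secrets]
    if not hashes_distinct(hashes):
        raise ValueError("same message attack: received hashes are not distinct")
    recovered = {}
    for x, kb in zip(chosen_x, b_keys):
        pt = xor_crypt(kb, boxes[x - 1])
        if sha(pt) != hashes[x - 1]:           # Bob's second check from Section 5.4
            raise ValueError(f"hash mismatch for S{x}: Alice cheated")
        recovered[x] = pt
    return {"M_A": m_a, "M": msgs, "M_B": m_b, "K_A": a_keys,
            "replies": replies, "K_B": b_keys, "recovered": recovered}


if __name__ == "__main__":
    print(run_example())
```

Bob's keys 4 and 12 land on positions 3 and 5 of Alice's key list, so only those two boxes open; the other three keys (9, 6, 18) are never derivable from what Bob holds without solving a discrete logarithm in $\mathbb{Z}_{23}$ (trivial at this toy size, which is why a real deployment needs a large safe prime).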

6.3 Cost Analysis 

The computational cost at Alice's and Bob's ends can be seen to be $n + k$ and $2k$ exponentiations respectively [$O(n + k)$ and $O(2k)$]. This is equal to the computational cost at either end in the scheme proposed in [17]. The transfer cost would be equal to $n + 2k + 2$ [$O(n + k)$]. This again is equal in order to the scheme proposed in [17].

7 Conclusion 

The protocol in this paper equals the order of the 1-out-of-n protocol in [5] both in computation and transfer. For k-out-of-n Oblivious Transfer, it compromises on the adaptive nature of their protocol and requires that both parties decide on the number k of secrets to be transferred before the execution of the actual protocol. However, it improves the cost of their k-out-of-n protocol and equals the order of the scheme proposed in [17]. The hash function used to avoid the same message attack takes negligible computational cost due to the availability of very fast hashing algorithms. The transfer of these hashes also induces a minor overhead that does not affect the order of the transfer cost.

The protocol uses Diffie-Hellman [6] based keys to encrypt and decrypt the secrets. Our scheme basically allows both parties to obliviously generate Diffie-Hellman keys. Such a primitive can be used in other applications that use Diffie-Hellman based keys to ensure privacy.

Although the order of the k-out-of-n protocol presented in this paper and that proposed in [17] are the same, it is important to note that all three rounds in the scheme proposed by Wu et al. [17] involve the transmission of the secret itself in an encrypted form. For smaller secrets, both protocols may exhibit similar performance. However, as the size of the secrets increases (in the case of files), the protocol of [17] would have the rather unnecessary overhead of transmitting the entire file in its encrypted form three times (which of course cannot be significantly smaller than the file itself). Our protocol, on the other hand, transmits the encrypted secret only once and thus will save significant bandwidth in a scenario involving large secrets. We believe that such a scenario may occur frequently in applications such as internet shopping for digital commodities, exchange of digital secrets, file transfers, etc. Our protocol would be able to perform significantly better under such circumstances.